It starts with the fact that I can't install the XML::Sig module without errors. I'm not sure the final error in my Perl program is because of that, so please allow me to explain.

First of all, the problem at hand. I need to add a digital signature to an XML message; XML::Sig apparently is exactly what I need. XML::Sig isn't installed on my system, so I first tried to install it manually. That failed because it was missing a lot of prerequisites, so I tried to install it through

Code

perl -MCPAN -e shell

cpan> install XML::Sig

That eventually gave an error when it tried to install the Crypt::OpenSSL::X509 prerequisite:

Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig

Perhaps I should explain what I'm trying to do.

I'm trying to implement an online payment system using "IDeal" (which is what we use here in the Netherlands). Communication between the "Merchant" (me) and the "Acquirer" (the bank) is done by sending XML messages.

Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig

When building, you might want to redirect the output (both stdout and stderr) to a file so that you can review it in more detail if the build fails.

Always start with the very first error/warning when troubleshooting. Often a single problem can/will propagate down the chain and cause additional errors/warnings.

Look at the test file source code when a test fails to see what it was doing. Sometimes a failure of an "insignificant" test can cause the entire build to fail, which is one of the reasons why the "force" option is available when building. Sometimes the test itself is buggy and causes a false negative (i.e., failure).

Re: [FishMonger] Trying to add a digital signature to an XML with XML::Sig

In Reply To

When building, you might want to redirect the output (both stdout and stderr) to a file so that you can review it in more detail if the build fails.

I redirected both stdout and stderr to a file and looked at the complete output. The only two modules that fail are Crypt::OpenSSL::X509 and XML::Sig. The messages I'm getting are exactly what can be seen in my first post.

I did a forced build of Crypt::OpenSSL::X509 (since I don't need X509 anyway), but then I still get an error trying to build XML::Sig:

(PS: I was able to get rid of this error by editing Sig.pm and uncommenting lines 192-194. These lines split the certificate into 64-character lines. But that did not make a difference to the error below.)

So I did a forced build of XML::Sig. When I run my Perl code, I get the following error message:

Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig

As it turns out, I can't use XML::Sig to digitally sign my XML for several reasons. So I just wrote my own code to sign the XML. But whenever I send the signed XML to the bank, it returns an "invalid electronic signature" error. And I can't figure out why.

"SignedInfo" is the node that needs to be signed using RSAWithSHA256. My code looks like this:

Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig

Well, I do not know anything about what you are doing, but if the bank says "invalid electronic signature", I would not rule out a problem in the signature. The bank's message could certainly be wrong, but you can't be sure until you've found the actual problem.

Re: [Laurent_R] Trying to add a digital signature to an XML with XML::Sig

In Reply To

Well, I do not know anything about what you are doing, but if the bank says "invalid electronic signature", I would not rule out a problem in the signature. The bank's message could certainly be wrong, but you can't be sure until you've found the actual problem.

Yes, I realize something must be wrong with the signature. ;)

But what I meant is that apparently the way I sign the data is correct. But I'm probably signing the wrong thing. And I can't figure out where I go wrong.

According to the documentation:

* The entire XML must be signed as described by the W3C XMLdsig specifications.
* For the purpose of generating the signature value, the exclusive canonicalization algorithm must be used.
* The syntax for an enveloped signature must be used. The signature itself must be removed from the XML message using the default transformation prescribed for this purpose.
* For signature purposes the RSAWithSHA256 algorithm must be used. RSA keys must be 2,048 bits long.

Now, as I understand XML signing, only the SignedInfo node is signed (because it contains, inside "References", the digest values of the XML content that needs to be signed). I am 100% sure the SignedInfo I generate is correct. I'm also pretty sure I'm signing the correct way (see code above). Yet the resulting signature is not accepted. The flow is this:

Re: [Zippy1970] Trying to add a digital signature to an XML with XML::Sig

After reading some more, I'm getting more and more convinced the error is in the canonicalization step. I simply don't understand canonicalization very well. I understand its purpose but I don't understand what it is supposed to do (exactly).
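The flow the documentation lists (enveloped signature, exclusive canonicalization, RSAWithSHA256 over SignedInfo) and the canonicalization step the last two posts puzzle over, as an added Perl example that is not from this thread and not XML::Sig's code. It assumes XML::LibXML, Crypt::OpenSSL::RSA, Digest::SHA and MIME::Base64 are installed, and uses a constructed message under a made-up `urn:example` namespace plus a throwaway key; it signs the message and then checks it the way a receiver would, so each step's exact input bytes are visible.

```perl
use strict;
use warnings;
use XML::LibXML;
use Crypt::OpenSSL::RSA;
use Digest::SHA qw(sha256);
use MIME::Base64 qw(encode_base64 decode_base64);
my $DSIG       = 'http://www.w3.org/2000/09/xmldsig#';
my $EXC_C14N   = 'http://www.w3.org/2001/10/xml-exc-c14n#';
my $ENVELOPED  = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature';
my $RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
my $SHA256     = 'http://www.w3.org/2001/04/xmlenc#sha256';

# Constructed sample message (not a real iDEAL message) and a throwaway
# 2048-bit key; a merchant would load its real private key here instead.
my $doc = XML::LibXML->load_xml(string => '<Msg xmlns="urn:example"><Body>1</Body></Msg>');
my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
$rsa->use_sha256_hash();

# Step 1: the Reference digest. URI="" means the whole document; the enveloped-signature
# transform drops ds:Signature (none yet) and exclusive C14N fixes the exact bytes hashed.
my $digest = encode_base64(sha256($doc->documentElement->toStringEC14N(0)), '');

# Step 2: SignedInfo names every algorithm used and carries that digest.
my $si_xml = qq{<ds:SignedInfo xmlns:ds="$DSIG">}
  . qq{<ds:CanonicalizationMethod Algorithm="$EXC_C14N"/>}
  . qq{<ds:SignatureMethod Algorithm="$RSA_SHA256"/>}
  . qq{<ds:Reference URI=""><ds:Transforms>}
  . qq{<ds:Transform Algorithm="$ENVELOPED"/><ds:Transform Algorithm="$EXC_C14N"/>}
  . qq{</ds:Transforms><ds:DigestMethod Algorithm="$SHA256"/>}
  . qq{<ds:DigestValue>$digest</ds:DigestValue></ds:Reference></ds:SignedInfo>};

# Step 3: only the exclusive-C14N form of SignedInfo is signed (not the body, not the
# raw string above). Exclusive C14N omits namespace declarations SignedInfo does not
# use, so these bytes stay identical once it is embedded under <Msg xmlns="urn:example">.
my $si_c14n   = XML::LibXML->load_xml(string => $si_xml)->documentElement->toStringEC14N(0);
my $sig_value = encode_base64($rsa->sign($si_c14n), '');

# Step 4: envelope the signature inside the message.
my $sig_doc = XML::LibXML->load_xml(string => qq{<ds:Signature xmlns:ds="$DSIG">$si_xml}
  . qq{<ds:SignatureValue>$sig_value</ds:SignatureValue></ds:Signature>});
$doc->documentElement->appendChild($sig_doc->documentElement);

# Check it as the acquirer would: canonicalize SignedInfo in place, then apply the
# enveloped transform (remove ds:Signature) and recompute the Reference digest.
my $xpc = XML::LibXML::XPathContext->new($doc);
$xpc->registerNs(ds => $DSIG);
my ($sig_node) = $xpc->findnodes('/*/ds:Signature');
my $si_bytes   = ($xpc->findnodes('ds:SignedInfo', $sig_node))[0]->toStringEC14N(0);
$sig_node->unbindNode;
my $digest_again = encode_base64(sha256($doc->documentElement->toStringEC14N(0)), '');
printf "digest %s, signature %s\n", ($digest_again eq $digest ? 'matches' : 'MISMATCH'),
  ($rsa->verify($si_bytes, decode_base64($sig_value)) ? 'verifies' : 'FAILS');
```

If the digest check passes but the receiver still rejects the signature, compare the bytes of `$si_c14n` with what the receiver canonicalizes: any whitespace, namespace declaration or attribute-order difference there changes the signed input even though the SignedInfo content looks the same.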